
Re: dmarc damage, was gmail users read on... [bozo subtopic]

2014-09-11 15:33:58


--On Thursday, September 11, 2014 10:30 -0700 Doug Barton
<dougb(_at_)dougbarton(_dot_)us> wrote:

> John Klensin,
>
> If you don't like that solution, what solution do you propose
> to deal with the large (by volume) installed base of DMARC
> domains relative to mailing list traffic? It's fine and good
> to talk about theory, more power to ya. :)  But as Brian
> pointed out the volume of list traffic that is being shunted
> to spam folders, or outright rejected, is only increasing.
> Continuing to complain about DMARC, or the way it's being
> used, is wasted electrons.
>
> I proposed creating a draft for a standardized way of encoding
> the original from address to the left of the @ sign so that
> the mailing list sender could create a valid DKIM record, but
> clients could be taught to decode the original From:.  You and
> others pooh-pooh'ed that suggestion, but I haven't seen a
> better one yet.

I don't recall "pooh-pooh"-ing anything, but as many people here
are aware, I've got a deep aversion, based on extensive
experience, to tampering with headers in transit.  From that
point of view, a fancy encoding of the local part is not
significantly different from the "rewrite to point to the mail
exploder" technique John Levine mentioned.

As to a solution, I believe that a key reason the Internet has
gotten this far -- both technically and in terms of convincing
regulators and the like to let us rely on "multistakeholder"
solutions rather than extensive formal regulation -- depends on
organizations with market power (by volume) exercising good
judgment and moderation when it is discovered that their actions
hurt others or force others to incur significant expense.  I
sincerely hope that the newly-created WG will move expeditiously
to modify DMARC so that it stops causing these problems and that
the major (by volume) organizations who have deployed DMARC will
then rapidly adopt those changes.  From that perspective,
"we deployed this neat thing, if it hurts you and your perfectly
standards-conforming application, suck it up" just doesn't work
for me regardless of what the parties with those other
applications might apply as remedies.  

I hope I'm not getting too hysterical about this but, if DMARC
"works" in the sense that the organizations who created it can
effectively force everyone else to adapt or find themselves at a
severe disadvantage, what is to prevent the same actors from
collaborating on new core email protocols (replacing SMTP and
the header specs)?  We probably all agree that those specs are
showing their age and that we would do things differently if we
started over today and didn't need to worry about the installed
base.  We probably don't agree on what changes should be made
and the IETF has traditionally been quite careful about that
installed base.  But suppose some consortium of large actors
came along and said "we have designed a new set of mail
protocols that will provide our users a better experience" (or,
to be cynical, provide us with better advertising opportunities)
"and good luck to you in designing gateways".  Would we accept
that in the same way that you and others seem to be urging ways
to accommodate to DMARC?  I fear for the notion of an open
Internet if the answer is "yes", but probably see less
difference between that case and the DMARC one than you and
others may.

Maybe things just look better from my applications perspective
looking down the stack, but my impression is that most of the
major corporate actors in, e.g., routing, the network layer, and
operations are still behaving more or less consistently with
that historical cooperative model.  But some of the active
forces in the applications layer, seemingly especially where
email is concerned, seem to have lost sight of it or concluded
that it is not in their interest to do so.  I find that pretty
troubling.

Now, perhaps my view is outdated and naive and our present
reality is that any convenient 300 pound gorilla (or a
consortium of them) can (and will) do whatever they like and
expect others to conform.  If that is so, I question the
long-term future of the IETF and voluntary,
individual-participation, standardization efforts, both because
market power becomes a more economical and effective substitute
for open standards and because this is exactly the sort of thing
that causes other actors to decide that external adult
supervision is needed (with them picking the "adults").

  best,
    john